Developed at Brigham Young University, Fault Tree Analysis (FTA) is a technique for enhancing the probability of success in any system by analyzing the most likely modes of failure that could occur. It provides a logical, step-by-step description of possible failure events within a system and their interaction--the combinations of potential occurrences which could result in a predetermined undesired event. The analysis for a fault tree begins with a precise statement about an undesired event of critical importance in a decision making process. This statement stands at the top of the tree, and the analysis proceeds downward. Contributing failure events are then interrelated by means of "logic gates" (e.g., AND and OR) to illustrate the cause and effect relationship which results in the undesired event. (A description of the FTA approach and its applications is included.) (SB)

A FAULT TREE APPROACH TO ANALYSIS OF BEHAVIORAL SYSTEMS

AN OVERVIEW 

There are two basic approaches to analysis: (1) analysis in terms of success or accomplishment of a system's purpose, or (2) analysis in terms of failure or non-accomplishment of a system's purpose. A systems approach may utilize either success or failure analysis.

Analysis in terms of success, however, is much more problematic than analysis in terms of failure. Not only is it difficult to achieve consensus as to those design characteristics and functions, the channels and interactions, which lead to system success, but experience has shown that in complex systems it is much easier to describe and achieve consensus as to what constitutes failure. When a system is functioning smoothly, it is not at all easy to specify precisely what combinations of events contribute to this happy state. But when breakdowns occur, they are immediately apparent, although their causes and their "downstream" effects may be more obscure.

Fault Tree Analysis (FTA) is a technique for enhancing the probability of success in any system by analyzing the most likely modes of failure that could occur. It provides a logical, step by step description of possible failure events within a system and their interactions--that is, the combinations of potential occurrences which could result in a predetermined undesired event (U.E.). The fault tree was so named because the completed graphic portrayal of a functional system utilizes a branching process analogous to the outline of a coniferous tree.



It is not the intent of this paper to present a detailed explanation of the technique of performing a Fault Tree Analysis. Explanations of both qualitative and quantitative analysis, examples of educational and management information applications, and prototype trees may be found in Stephens (1972).

Description of Fault Tree Analysis
Following is a brief overview of the steps in Fault Tree Analysis. It should be noted that the fault tree approach can be used in a more simplified, abbreviated form, and still be very useful. In fact, decision makers have found that they could derive useful information from any of the steps followed in performing a fault tree analysis.

Qualitative Fault Tree Development
A fault tree consists of events, interrelated by logic gates, and resulting in complex pathways. The analysis begins with the precise statement of an undesired event (UE) of critical importance. It may be the failure of the entire system, expressed as a failure of the mission; or it may be a failure identified with some subsystem or component. In any event, it stands at the top of the tree, and the analysis proceeds downward. Inputs to the UE become contributing failure events in a cause and effect relationship.

Before discussing the nature of the events, however, it is necessary to clarify the concept of logic gates. The heart of the fault tree approach, and that which differentiates it from other forms of analysis, is the use of logic gates to show the relationships among events. There are two principal kinds of logic gates, the AND gate and the OR gate. All other gates used are derivatives of these two.



The AND logic gate is used when two or more events must coexist in order to produce the more general event. The AND gate is symbolized graphically by the symbol [not reproduced in this scan]. In the fault tree, events related by an AND gate would be depicted as in Figure 1.

Figure 1
THE AND GATE
[diagram not reproduced in this scan]

This would be read: Events B and C must coexist to produce Event A; or, the output can occur only if the inputs B and C coexist. The mathematical equivalent of this is A = (B ∧ C).

In behavioral systems, this relationship most commonly exists when a subsystem or component and one or more backup systems or components exist or are possible within the design of the system. This situation occurs much less frequently in behavioral than in hardware systems, and the implications of this will be considered later in this paper in regard to the interpretation of the tree.



The OR logic gate is used when, of two or more possible inputs to an event, any one alone could produce the output. The graphic symbol for the OR gate is [not reproduced in this scan]. In the fault tree, events related by an OR gate would be depicted as in Figure 2.

Figure 2
THE OR GATE
[diagram not reproduced in this scan]

This is read: Either B or C alone will produce Event A. The mathematical equivalent of this is A = (B ∨ C).

There are two general kinds of OR gates--the INCLUSIVE OR and the EXCLUSIVE OR. In the INCLUSIVE OR situation, either B or C or both could result in Event A. In the EXCLUSIVE OR situation, either A or B could produce C, but both A and B could not occur simultaneously.

With either the AND or OR gates, more than two inputs may exist. Variations of these gates allow for the specification of complex relationships; there are inhibit gates, priority AND gates which specify the sequence of events, matrix gates, and others. The analysis thus provides precise description of conditions as well as modes of relationships, all of which can be expressed mathematically and quantified.

The other set of basic symbols used in fault tree analysis depicts the types of inputs or events. Input and output events can be classified according to their nature. The following are the most commonly used symbols for fault trees:



Rectangle: Identifies an event that results from a combination of less general fault events through an associated logic gate. All events symbolized by rectangles have additional development in the fault tree.

Circle: Identifies a basic fault event which requires no further development. This could occur when the definition of an event is sufficiently explicit to satisfy the purpose of the analysis. It also occurs when there is a "primary" failure of a component, analogous to a power failure in a telephone system. The decision as to whether the event is a basic one or not depends somewhat on the perspective of the analysis. For example, if the telephone system itself were being analyzed, then events leading to a power failure would be traced in much more detail. However, if a telephone is considered one system component within an organizational communication system, a power failure might be considered a basic event requiring no further analysis.

Rhombus: Identifies an event which is not developed further due to (a) lack of information, (b) very remote likelihood of occurrence, or (c) because time, financial or other constraints preclude further analysis. (This symbol should not be confused with the diamond used as a decision point in flow charting.)




House: Identifies an event that is normally expected to occur in the system as defined. When combined with other events, however, it might contribute to a failure event.

Figure 3 shows a rudimentary fault tree, which is read as follows: Event A can be produced either by Event B or Event C or both. Event B can be produced only by the coexistence of Events D and E. Event C can be produced either by Event F or Event G or both. Event E is a primary or basic failure event, and Event F is an event that normally occurs in the system, but which can contribute to Event C. Events D and G require no further analysis.

Figure 3
ILLUSTRATION OF A FAULT TREE BRANCH
[diagram not reproduced in this scan]

The bottom of the tree for any branch always will have events depicted by the circle, rhombus, or house. In this example, there are two branches and three levels of analysis.

For each given event, which in turn becomes a UE, failure events contributing to more general undesired events can be derived according to several models. One approach is to systematically ask questions regarding input, processing, output, and environmental factors; i.e., failures of a given component or subsystem may be attributable to failures of input from another part of the system, failures of processing within the component or subsystem itself, failures of output to another part of the system, or failures attributable to an abnormal environment. Inputs may be internal or external to the system, but in general, the more proximate the inputs in time or space to the failed component, the more powerful the analysis. If internal failure events are really due to events external to the system, they will usually show up at the points of interface between the system and its environment.

Figure 4 can be used to illustrate how failure analysis can be applied to a system which operates serially, Events A, B, and C being prerequisite conditions to Event D. In 4a the events are assumed to be operating successfully; i.e., for success of D, a single thread of events is necessary from A to B to C to D. In 4b the events are graphically analysed for potential failure; that is, failure of D can be caused by failure of either A or B or C or any combination of them.

Figure 5 shows another possible system configuration, using both concurrent and prerequisite conditions for success. Diagram 5a assumes the system to be operating successfully. For success of D, the flow of events or information must go from A to B, then to C1 or C2 before D can occur. Diagram 5b shows the events as analysed for potential failure. Failure of D can be caused only by C1 and C2 failing concurrently. C1 can be caused by the failure of A or B or both; C2 can also be caused by the failure of A or B or both.

Figure 4
COMPARISON OF ANALYSIS IN SUCCESS SPACE WITH ANALYSIS IN FAILURE SPACE FOR PREREQUISITE EVENTS IN A SERIES
(a) system design
(b) failure analysis of above system design in terms of the failure of event D
(c) success analysis of system design in terms of the success of event D
[diagrams not reproduced in this scan]

Figure 5
COMPARISON OF ANALYSIS IN SUCCESS SPACE WITH ANALYSIS IN FAILURE SPACE FOR CONCURRENT AND PREREQUISITE EVENTS
(a) system design
(b) failure analysis of above system design in terms of the failure of event D
(c) success analysis of system design in terms of the success of event D
[diagrams not reproduced in this scan]

In failure analysis, any event at the bottom of the tree which passes only through OR gates to more general failure events at the top of the tree becomes the same event, in essence, as the top UE. As an example in a behavioral system, or subsystem, such a configuration would occur when the flow of information can proceed only through specified channels, with no alternatives available in case of breakdowns, malfunctioning, or overloads. This is particularly serious when the system does not provide an alerting or monitoring mechanism, causing the problems to multiply before corrective action can be taken. It should be apparent from Figures 4 and 5, however, that even a cursory inspection of system configuration will provide information as to the viability of the system, with consequent implications for changes in design and/or procedures.
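As an added example (not code from the paper), the trees of Figure 3 and Figure 5b encoded in Python so that the smallest combinations of bottom events producing the top UE can be enumerated for any AND/OR tree; a bottom event that reaches the top through OR gates only appears as a one-element set, which is the "same event as the top UE" situation described above.

```python
"""Qualitative evaluation of the fault trees in Figures 3 and 5.

Added example, not the paper's own code.  A tree is a dict mapping each
developed event (rectangle) to its gate and inputs; events with no entry
are bottom events (circle, rhombus or house).
"""
from itertools import combinations

# Figure 3: A = B OR C;  B = D AND E;  C = F OR G.
FIGURE_3 = {
    "A": ("OR", ["B", "C"]),
    "B": ("AND", ["D", "E"]),
    "C": ("OR", ["F", "G"]),
}

# Figure 5b: D fails only if C1 and C2 fail concurrently, and each of
# C1 and C2 fails when A or B (or both) fails.
FIGURE_5 = {
    "D": ("AND", ["C1", "C2"]),
    "C1": ("OR", ["A", "B"]),
    "C2": ("OR", ["A", "B"]),
}


def bottom_events(tree):
    """Events that appear only as inputs, never as gate outputs."""
    inputs = {e for _, ins in tree.values() for e in ins}
    return sorted(inputs - set(tree))


def occurs(tree, event, failed):
    """True if `event` occurs when exactly the bottom events in `failed` occur."""
    if event not in tree:
        return event in failed
    gate, inputs = tree[event]
    results = [occurs(tree, i, failed) for i in inputs]
    return all(results) if gate == "AND" else any(results)


def minimal_cut_sets(tree, top):
    """Smallest sets of bottom events whose joint occurrence produces the top UE.

    Combinations are tried in increasing size, so any candidate that contains
    an already-found cut set is not minimal and is skipped.
    """
    cuts = []
    basics = bottom_events(tree)
    for size in range(1, len(basics) + 1):
        for combo in combinations(basics, size):
            candidate = frozenset(combo)
            if any(cut <= candidate for cut in cuts):
                continue
            if occurs(tree, top, candidate):
                cuts.append(candidate)
    return [sorted(cut) for cut in cuts]


def single_point_failures(tree, top):
    """Bottom events that reach the top UE through OR gates only: each one
    alone is, in essence, the same event as the top UE."""
    return sorted(cut[0] for cut in minimal_cut_sets(tree, top) if len(cut) == 1)


if __name__ == "__main__":
    for name, tree, top in (("Figure 3", FIGURE_3, "A"), ("Figure 5", FIGURE_5, "D")):
        print(name, "minimal cut sets:", minimal_cut_sets(tree, top))
        print(name, "single-point failures:", single_point_failures(tree, top))
```

For Figure 5 the result shows what the text describes: the concurrent C1/C2 design does not protect D, because A or B alone fails both branches.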

Another point to note is that it appears from Figures 4 and 5 that analysis for failure is simply the logical reciprocal of analysis for success. To an extent this is true, in that experience has shown that reduction of the likelihood of an undesired event occurring can be accomplished through changing or monitoring the sequences of events on the primary strategic paths determined on a fault tree.

Recent work with FTA of complex systems, however, has shown that failure analysis gives perspectives on a system which go beyond the simple logical inversion of success analysis to failure analysis and back again. In fact, the FTA methodology itself appears to have a heuristic value, both for those participating in the analysis and the managers and other decision makers to whom the results and recommendations are communicated. It generates questions about the system which do not occur under the usual conditions of success analysis. Additionally, the methodology, by facilitating consensus formation processes of groups, promotes team building activities which, in turn, lead to greater productivity.

Quantitative Fault Tree Development
Derive one or more strategic paths through quantitative Fault Tree Analysis (FTA).

Starting with the top UE, rank in order of relative contribution (or importance) each of the failure events leading into it (i.e., each of the inputs), utilizing a consensus formation process such as the Delphi technique. (For a description of the technique applied to Fault Tree Analysis, see Stephens, 1972. More general sources are Helmer, 1966, Campbell and Hutchin, 1968, and a comprehensive bibliography compiled by the Research Management Group of AERA.)

For all of the inputs to a single event, determine the percentage contribution made by each event to the more general failure event above it, utilizing a consensus process. Percentages should sum up to 100 for each event.

Repeat the above steps for the inputs to each failure event, working systematically down through the tree.

Decide on a rating scale suitable for use in evaluating the frequency (or likelihood) of occurrence of failure events in the fault tree. (E.g., a scale of low, medium, and high might use ratings of .1, .2, and .4 respectively, indicating that a "medium" rating is twice as likely to occur as a "low" rating, and that "high" is twice as likely as "medium." These are nominal values only.)

Determine the appropriate frequency rating for each event at the bottom or lowest level only for each branch of the tree. The rating for each input to an event is determined independently of the other inputs for that same event.

Calculate strategic path values for the tree utilizing the judgments of relative contribution, frequency of occurrence, and logic formulas through the logic gates. (For formulas, see Stephens, 1972.)

Identify strategic paths of interest by inspection. 

Probability as a measure of the chance occurrence of events is usually defined mathematically as (a) the area under a curve which is representative of the pattern of occurrence of events, (b) the relative frequency of occurrence of events in a stochastic process, and (c) the ratio of the number of ways an event of interest can occur to the sum of the number of ways it can and cannot occur. Strategic path values do not give probabilities in this sense, but they do represent a relative probability in the sense that they reflect measures of the occurrence of events in terms of how often those events might occur in the system (frequency) and how important they are if and when they do occur (relative contribution). The relationship of the probability formulas to logic diagrams is accomplished via Boolean algebra.
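As an added example (not the paper's computation), the quantification steps above carried out in Python on the Figure 3 tree with constructed contribution percentages and frequency ratings on the .1/.2/.4 scale. Stephens' (1972) formulas are not reproduced on this page, so the gate formulas (standard Boolean-algebra combination of independent inputs) and the path-value rule (bottom frequency times the contribution fractions along the path) are this example's assumptions.

```python
"""Strategic path values for the Figure 3 fault tree.

Added example, not the paper's own procedure.  Stephens' (1972) logic
formulas are not given on this page; this example propagates likelihoods
with the standard Boolean-algebra formulas for independent inputs and scores
a path as (bottom-event frequency) x (product of contribution fractions).
"""

# Constructed consensus judgments: each developed event lists its inputs with
# their percentage contribution to it (summing to 100 per event).
TREE = {
    "A": ("OR", {"B": 40, "C": 60}),
    "B": ("AND", {"D": 50, "E": 50}),
    "C": ("OR", {"F": 70, "G": 30}),
}
# Frequency ratings, assigned to bottom events only: low .1, medium .2, high .4.
FREQUENCY = {"D": 0.2, "E": 0.1, "F": 0.4, "G": 0.1}


def check_contributions(tree):
    """Return the events whose input percentages do not sum to 100 (should be empty)."""
    return {e: sum(ins.values()) for e, (_, ins) in tree.items()
            if sum(ins.values()) != 100}


def likelihood(tree, freq, event):
    """Relative likelihood of an event, propagated bottom-up through the gates.

    Assumed formulas for independent inputs: AND gives the product of the
    input likelihoods; OR gives 1 - product of (1 - input likelihood).
    """
    if event not in tree:
        return freq[event]
    gate, inputs = tree[event]
    values = [likelihood(tree, freq, i) for i in inputs]
    result = 1.0
    if gate == "AND":
        for v in values:
            result *= v
        return result
    for v in values:
        result *= 1.0 - v
    return 1.0 - result


def strategic_paths(tree, freq, top):
    """Every path from a bottom event up to the top UE, highest value first.

    Path value = frequency of the bottom event x product of the contribution
    fractions of the edges climbed; it is a relative measure, not a probability.
    """
    paths = []

    def walk(event, weight, trail):
        trail = trail + [event]
        if event not in tree:
            paths.append((trail, round(freq[event] * weight, 4)))
            return
        for child, pct in tree[event][1].items():
            walk(child, weight * pct / 100.0, trail)

    walk(top, 1.0, [])
    return sorted(paths, key=lambda p: p[1], reverse=True)


if __name__ == "__main__":
    assert not check_contributions(TREE), "percentages must sum to 100 per event"
    print("likelihood of top UE A: %.4f" % likelihood(TREE, FREQUENCY, "A"))
    for trail, value in strategic_paths(TREE, FREQUENCY, "A"):
        print(" -> ".join(trail), value)
```

With these constructed judgments the path A -> C -> F ranks first, which is what inspection of the tree suggests: F is a high-frequency event reaching the top through OR gates only.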

Although a computer program is available for deriving strategic paths (as well as for drawing the tree), the computations can be done by hand. On trees of more than 300-350 inputs, however, this process is too time consuming. Even without completing the quantification, much valuable information regarding the operation of the system can be gained by simple inspection of the tree.

It is not necessary for most of the team members engaged in qualitatively constructing the tree or quantifying it to know more than the rudiments of fault tree principles. The main requisite is a good working knowledge of the system under analysis. Team members should represent many different levels and functions within the organization, as the various "levels of visibility" afforded by different personnel will lead to perspectives differing in important respects. These perspectives are dealt with directly in the quantification process. Experience has shown that wide divergences of opinion can be reconciled without being ignored or subdued. Furthermore, the technique accommodates and utilizes both "hard" data and expert opinion.

An advantage of working with a Fault Tree is that the analyst can account for intermittent or fortuitous events while putting the information within a context in which reliable judgments can be made regarding the importance of such events and their contribution to failures of communication. Moreover, by focusing on the components of the system and its subsystems, rather than on individuals or types of messages, a general picture will emerge as to the extent to which the system fosters purposeful, goal-oriented communication, or whether it sets up unnecessary barriers.

The degree to which a formal analysis is made will depend upon a number of factors--the amount of time available for analysis, the commitment of the organization to maximizing the communication system, the importance of the analysis to the organizational goals, and the perception of management of the general health of the system.

Recommending System Design Changes and/or Monitoring as Needed
The final step in FTA is to make recommendations based upon the strategic path analysis. These may include reallocating resources, installing backup systems, providing for monitoring of paths with high failure potential, redesigning subsystems, providing for improved communication at interfaces, or taking any other corrective action that seems advisable. Displaying the fault tree and discussing the strategic paths and their implications with personnel at various levels of the organization often will bring excellent suggestions for improvement and an increase in cooperative effort to work toward organizational goals.

History and Background of FTA
FTA is an operations research technique which, in one form, has been used with signal success as a major analytical tool of system safety engineering on aerospace projects. Rudimentary concepts of FTA originally were developed by Bell Telephone Laboratories as a technique for performing a safety evaluation of the Minuteman Launch Control System. Bell engineers discovered that the method used to describe the flow of "correct" logic in data processing equipment could also be used for analyzing the "false" logic resulting from component failures (Haasl, 1965). The format was also well suited to the application of probability theory in order to define numerically the critical fault modes. Haasl points out that the Minuteman Safety Study was successfully completed using the new technique, and provided convincing arguments for the incorporation of a number of equipment and procedure modifications.

Additional development of the analytical and mathematical techniques of Fault Tree Analysis in hardware systems occurred in the Boeing Company, and since it was first introduced in 1961, attempts have been made to apply the technique to many different systems inside and outside the company. Some of these have been a model of the man/machine interface in a manned space system, and analysis of such problems as highway safety and vandalism in the schools. For further descriptions of the history and development, see Ericson (1970) and Stephens (1972).

Driessen (1970) reports the application of FTA (which he calls Cause Tree Analysis) to industrial accidents, infant falls, and the like. He pleads for a wider application of the technique both to system safety analysis, and to psychology and the behavioral sciences.

Although a limited amount of analysis of human factors has been attempted, as in the Boeing man/machine interface of a manned space system, until 1967 few attempts had been made to apply the technique entirely to behavioral systems. This was partly because trained analysts were mainly engineers concerned with system safety, and partly because no adequate method of defining strategic paths (called critical paths in hardware fault trees) had been demonstrated. The nature of behavioral systems makes hard probability data difficult if not impossible to come by, and such concepts as "time to repair" used in FTA hardware formulas have no exact human system counterpart.

Since 1967, however, the author has successfully applied FTA to a number of educational, managerial, and research problems (Stephens, 1972; Witkin with Stephens, 1968), and has taught the technique to others during a two-year EPDA project (Witkin and Stephens, 1972).

An important breakthrough for FTA of non-hardware systems came with the development (Stephens, 1972) of a new quantification scheme for deriving strategic paths through the use of subjective probabilities. The viability of strategic path analysis for management decisions in educational systems was demonstrated through the author's analysis of the vocational educational system of the Seattle public schools, which resulted in a major curriculum change.

Since that time, both qualitative and quantitative FTA have been applied by the author, along with others who have taken FTA training, to other kinds of problems, including school district reorganization, a community college self study, and research project management. Additional applications include the formative evaluation of a university instructional television research project (Butler, 1972), and the analysis of communication breakdowns in the management of an ESEA Title III project for deaf children. FTA was also used as the principal management information system for Witkin's project in Auditory Perceptual Training, a three year research utilization project. FTA will also form the basis for cost/effectiveness analysis of the various modes of implementing and adapting the project's instructional materials to various media and classroom environments.

The FTA method used for generating inputs tends to focus the thinking of the group on specifics and to organize all inputs within a systematic framework. Moreover, experience with very different kinds of fault trees (e.g., vocational education, research project management, community college assessment) has shown that the technique has other advantages in a multidisciplinary team effort.

1. It focuses expert knowledge and judgment from often widely disparate disciplines and functions on a common problem and furnishes a common language and perspective.

2. It can take into account both agreements and divergences on the inputs and their importance.

3. It allows for concentration on one area of interest at a time, but with the assurance that all other areas will be systematically dealt with.

4. By concentrating on the way in which a system operates, rather than on personalities, it introduces a non-threatening atmosphere and encourages a freer exchange of information among the members.

A serendipitous effect of FTA on participating members of an organization has been noticed. Without exception, those who have actively participated in working with the analyst to arrive at inputs for the qualitative and quantitative analysis have gained a new perspective of the system and have turned from somewhat passive members to active workers for system success. In one instance, in a large metropolitan school system, the FTA was so successful in engaging the support of the administration for a needed curriculum change, that the school board allocated over $200,000 additional to the area, at a time of stringent budget cutbacks. It might be added that the change was of a nature which would have been hotly fought in the past by the very people who became its proponents after working on the FTA.

A system approach to analysis must deal with the complexities and interdependencies which are an inherent part of any behavioral system. A characteristic of systems is that stress in any part of the system will eventually make itself felt in other parts perhaps far removed from the stress point itself. It often happens, however, that a problem, such as a breakdown in communication, is perceived as having its source in one part of the system when, in fact, its "real" causes are elsewhere.

FTA is capable of dealing with such secondary effects of stress in the system, of spotting and analyzing redundant failure events which may have significant cumulative impact, and of defining interactions among events which appear to be unrelated. The quantification process adds power to the qualitative analysis in accomplishing this.

To sum up, FTA has been found useful as the principal analytic method under the following conditions:

--Whenever undesired events or concerns and factors contributing to those concerns can be identified;

--Whenever differing areas of expertise must be marshalled;

--Whenever involvement of the members of an organization needs structure and systematizing;

--Whenever a defensible approach to resource allocation within a complex system is needed;

--Whenever consensus as to what constitutes success in the system is difficult to obtain;

--Whenever formative evaluation is necessary;

--Whenever the primary and secondary effects of future decisions must be analyzed.

Organizations both private and public often make plans which appear highly successful in solving social problems, only to have disastrous secondary effects appear, sometimes 25 years later. In commenting on the need for sophisticated tools to predict such secondary effects, Wilkinson (1972) wryly states,

    . . . on the shaky assumption that you can't act intelligently to solve a problem unless you know something about the system of which it is a part, it may eventually turn out that a systematic stab at social problems will at least enable those who are burdened with responsibility to consider such problems intelligently.

It is hoped that more decision makers will consider analysis for failure as well as analysis for success in system management.